Quantum Secret Sharing

Suppose Alice and Bob wish to set up a joint checking account:
neither of them can access it alone, but together, they can withdraw
money. One way to do this is to require a secret password, for
instance 011 100 001 010, to use the account. Neither Alice
nor Bob alone has this password. Instead, Alice has a string of
random numbers 101 010 010 001, and Bob has the bitwise XOR
of the key and Alice's bitstring:

key

011 100 001 010

Alice

101 010 010 001

Bob

110 110 011 011

Neither Alice nor Bob has any information about the key, but by
putting their two codewords together, they can completely recover the
key and access the bank account.

This is a simple example of a classical secret sharing
scheme. The secret bank account password is shared between Alice
and Bob. Much more elaborate secret sharing schemes exist. For
instance, it is possible to share a secret among 3 people so that any
two of them can reconstruct it, but any single person has no
information about it. In fact, it is possible to share a secret among
n people so that any k of them can reconstruct it, but any k-1 of them
have no information about the secret, for any n and k. This is known
as a (k, n) threshold scheme.

Classical secret sharing can be used in a number of ways besides
for a joint checking account. The secret key could access a bank
vault, or a computer account, or any of a variety of things. In
addition, secret sharing is a necessary component for performing
secure distributed computations among a number of people who do not
completely trust each other.

With the boom in quantum computation,
it seems possible, even likely, that quantum states will become nearly
as important as classical data. It might therefore be useful to have
some way of sharing secret quantum states as well as secret classical
data. Such a quantum secret sharing scheme might be useful
for sharing quantum keys, such as those used in quantum key distribution or in other quantum cryptographic protocols. In addition,
quantum secret sharing might allow us to take advantage of the
additional power of quantum computation in secure distributed
computations.

Consider the following simple example, sharing a three-state
quantum trit (a qutrit) among three people:

No matter what the encoded state is, any single person is equally
likely to find himself holding |0>, |1>, or |2>, so he has no
information about the encoded state. On the other hand, any two
people can easily reconstruct the secret. For instance, Alice and
Bob, holding shares a and b, compute (b-a) mod 3. By doing this
quantum mechanically, they can disentangle the phase as well, thus
reconstructing the state, even if it is in a quantum superposition.
This is thus an example of a ((2, 3)) quantum threshold scheme: any
two people can reconstruct the secret, but one person alone has no
information.

In fact, we can create a ((k, n)) quantum threshold scheme for any
k and n, as long as n < 2k. The reason for this constraint is the
No-Cloning Theorem, which states that it is impossible to copy a
quantum state. If we had a ((k, 2k)) threshold scheme, we could use
it to encode a state, take two sets of k shares, and use them to
reconstruct two copies of the original state. Since we know this is
impossible, no such scheme can exist.